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Description 

The present invention relates to an enciphering method, deciphering method, recording and reproducing device, 
deciphering device, deciphering unit device, recording medium, recording-medium manufacturing method, and key 
s control method which are for preventing the digitally recorded data from being copied from a recording medium. 

Compact disks and laser disks have been available as recording mediums that record digitized data (e.g., docu- 
ments, sound, images, or programs). Floppy disks and hard disks have been used as recording mediums for computer 
programs and data. In addition to those recording mediums, a DVD (digital video disk), which is a large-capacity re- 
cording medium, has been developed. 
10 Since the aforementioned various digital recording mediums record the digital data (including the compressed or 

encoded data, which can be decoded later) as it is, the recorded data can be copied easily to another recording medium 
without impairing the quality of sound or the quality of image, which enables a large number of reproductions to be 
made, contributing to literary piracy. 

In summary, when the data is copied from a digital recording medium, the data can be copied with the sound quality 
15 and picture quality of the master remaining unchanged, or without the deterioration of sound quality or picture quality. 
This has caused the problem of permitting the wrongful conduct of making unauthorized copies of the original and 
selling them without paying a royalty. 

Accordingly, it is an object of the present invention to provide an enciphering method, deciphering method, record- 
ing and reproducing device, deciphering device, deciphering unit device, recording medium, recording-medium man- 
20 ufacturing method, and key control method which are for preventing an unauthorized copy of digital recording mediums. 

According to one aspect of the present invention, there is provided an enciphering method comprising the steps 
of: enciphering data with a first key; and enciphering the first key with each of a plurality of predetermined second keys. 

According to another aspect of the present invention, there is provided a recording medium having information 
items recorded thereon, the information items comprising: first information obtained by enciphering data with a first 
25 key; and second information obtained by enciphering the first key with each of a plurality of predetermined second keys. 

According to another aspect of the present invention, there is provided a recording medium manufacturing method 
comprising the steps of: obtaining first information by enciphering data with a first key; obtaining second information 
obtained by enciphering the first key with each of a plurality of predetermined second keys; and recording the first and 
second information on the same recording medium. 
30 According to another aspect of the present invention, there is provided a deciphering method comprising the steps 

of: inputting first information obtained by enciphering data with a first key and second information obtained by enci- 
phering the first key with each of a plurality of predetermined second keys; deciphering the first key using at least one 
of the second keys to obtain the first key; determining by a specific method whether or not the obtained first key is 
correct; and deciphering the data using the first key after the determination to obtain the data. 
35 According to another aspect of the present invention, there is provided a deciphering device comprising: input 

means for inputting first information obtained by enciphering data with a first key and second information obtained by 
enciphering the first key with each of a plurality of predetermined second keys; storage means for storing at least one 
of the second keys; and deciphering means for deciphering the first key from the second information inputted from the 
input means using at least one of the second keys in the storage means, determining by a specific method whether or 
40 not the obtained first key is correct, and deciphering the data from the first information using the first key after the 
determination to obtain the data. 

According to another aspect of the present invention, there is provided a recording and reproducing device com- 
prising: reading means for reading first information and second information from a recording medium on which the first 
information obtained by enciphering data with a first key and the second information obtained by enciphering the first 
^5 key with each of a plurality of predetermined second keys have been stored; storage means for storing at least one of 
the second keys; and deciphering means for deciphering the first key from the second information read by the reading 
means using at least one of the second keys in the storage means, determining by a specific method whether or not 
the obtained first key is correct, and deciphering the data from the first information using the first key after the deter- 
mination to obtain the data. 

50 According to another aspect of the present invention, there is provided a key control method comprising the steps 

of: causing a first caretaker to take custody of a plurality of predetermined second keys; causing a second caretaker 
to take custody of first information obtained by enciphering data with a first key and second information obtained by 
enciphering the first key with each of the predetermined second keys; and causing a third caretaker to take custody 
of at least one of the second keys. 

55 According to another aspect of the present invention, there is provided a deciphering device comprising: reading 

means for reading first information, second information, and third information from a recording medium on which the 
first information obtained by enciphering data with a first key, the second information obtained by enciphering the first 
key with each of a plurality of predetermined second keys, and the third information used for key determination have 
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been stored; storage means for storing at least one of the second keys; first deciphering means for deciphering one 
of the enciphered first keys selected in the order determined from the second information using one second key selected 
in the order determined from the second keys stored in the storage means, determining on the basis of the deciphering 
result and the third information whether or not the first key obtained by the deciphering is correct, and repeating the 
s selection and the determination until the first key determined to be correct has been obtained; and second deciphering 
means for deciphering the data from the first information using the first key the first deciphering means has determined 
to be correct. 

According to another aspect of the present invention, there is provided a deciphering device comprising: a first 
unit built in a driving unit of a recording medium or connected to the driving unit of the recording medium without the 

w CPU bus of a computer, including: means for transferring first information obtained by enciphering the data read from 
the recording medium with a first key, second information obtained by enciphering the first key with each of a plurality 
of predetermined second keys, and third information used for key determination in such a manner that at least the 
second information and third information are transferred safely without being externally acquired; and a second unit 
connected to the first unit via the CPU bus of the computer including: means for receiving the first information, second 

is information, and third information from the first unit via the CPU bus of the computer in such a manner that at least the 
second information and third information are received safely without being externally acquired; storage means for 
storing at least one of the second keys; first deciphering means for deciphering one of the enciphered first keys selected 
in the order determined from the second information using one second key selected in the order determined from the 
second keys stored in the storage means, determining on the basis of the deciphering result and the third information 

20 whether or not the first key obtained by the deciphering is correct, and repeating the selection and the determination 
until the first key determined to be correct has been obtained; and second deciphering means for deciphering the data 
from the first information using the first key the first deciphering means has determined to be correct. 

According to another aspect of the present invention, there is provided a deciphering device comprising: reading 
means for reading first information, second information, third information, and fourth information from a recording me- 

25 dium on which the first information obtained by enciphering a third key with a first key, the second information obtained 
by enciphering the first key with each of a plurality of predetermined second keys, the third information used for key 
determination, and the fourth information obtained by enciphering data with the third key have been stored; storage 
means for storing at least one of the second keys; first deciphering means for deciphering one of the enciphered first 
keys selected in the order determined from the second information using one second key selected in the order deter- 

30 mined from the second keys stored in the storage means, determining on the basis of the deciphering result and the 
third information whether or not the first key obtained by the deciphering is correct, and repeating the selection and 
the determination until the first key determined to be correct has been obtained; second deciphering means for deci- 
phering the third key from the first information using the first key the first deciphering means has determined to be 
correct; and third deciphering means for deciphering the data from the fourth information using the third key obtained 

35 by the second deciphering means. 

According to another aspect of the present invention, there is provided a deciphering method comprising the steps 
of: reading first information, second information, and third information from a recording medium on which the first 
information obtained by enciphering data with a first key, the second information obtained by enciphering the first key 
with each of a plurality of predetermined second keys, and the third information used for key determination have been 

40 stored; deciphering one of the enciphered first keys selected in the order determined from the second information using 
one second key selected in the order determined from the second keys, determining on the basis of the deciphering 
result and the third information whether or not the first key obtained by the deciphering is correct, and repeating the 
selection and the determination until the first key determined to be correct has been obtained; and deciphering the 
data from the first information using the first key determined to be correct. 

45 According to another aspect of the present invention, there is provided a deciphering method comprising the steps 

of: transferring first information obtained by enciphering the data read from a recording medium with a first key, second 
information obtained by enciphering the first key with each of a plurality of predetermined second keys, and third 
information used for key determination from a first unit built in a driving unit of the recording medium or connected to 
the driving unit of the recording medium without the CPU bus of a computer to a second unit via the CPU bus of the 

50 computer in such a manner that at least the second information and third information are transferred safely without 
being externally acquired; and in the second unit, deciphering one of the enciphered first keys selected in the order 
determined from the second information using one second key selected in the order determined from the second keys 
stored in the storage means, determining on the basis of the deciphering result and the third information whether or 
not the first key obtained by the deciphering is correct, repeating the selection and the determination until the first key 

55 determined to be correct has been obtained, and deciphering the data using the first key determined to be correct. 

According to another aspect of the present invention, there is provided a deciphering method comprising the steps 
of: reading first information, second information, third information, and fourth information from a recording medium on 
which the first information obtained by enciphering at least a third key with a first key, the second information obtained 
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by enciphering the first key with each of a plurality of predetermined second keys, the third information used for key 
determination, and the fourth information obtained by enciphering data with the third key have been stored; deciphering 
one of the enciphered first keys selected in the order determined from the second information using one second key 
selected in the order determined from the second keys, determining on the basis of the deciphering result and the third 
s information whether or not the first key obtained by the deciphering is correct, and repeating the selection and the 
determination until the first key determined to be correct has been obtained; deciphering the third key from the first 
information using the first key determined to be correct; and deciphering the data from the fourth information using the 
third key obtained. 

According to another aspect of the present invention, there is provided a deciphering unit device that receives 
10 information via the CPU bus of a computer from a bus transfer unit buift in a driving unit of a recording medium or 
connected to the driving unit of the recording medium without the CPU bus of the computer and deciphers data on the 
basis of the information, the deciphering unit device comprising: means for receiving first information obtained by 
enciphering the data read from the recording medium with a first key, second information obtained by enciphering the 
first key with each of a plurality of predetermined second keys, and third information used for key determination from 
is the bus transfer unit via the CPU bus of the computer in such a manner that at least the second information and third 
information are received safely without being externally acquired; storage means for storing at least one of the second 
keys; first deciphering means for deciphering one of the enciphered first keys selected in the order determined from 
the second information using one second key selected in the order determined from the second keys stored in the 
storage means, determining on the basis of the deciphering result and the third information whether or not the first key 
20 obtained by the deciphering is correct, and repeating the selection and the determination until the first key determined 
to be correct has been obtained; and second deciphering means for deciphering the data from the first information 
using the first key the first deciphering means has determined to be correct. 

In each of the above categories, the data may include at least one of key information, documents, sound, images, 
and programs. 

25 with the present invention, only the correct party having at least one of the second keys can get the first key and 

therefore can get the plain data of the data enciphered using the first key. As a result, the wrongful conduct of making 
unauthorized copies and selling the thus copied mediums can be prevented, thereby protecting copyrights. 

Moreover, with the present invention, even if the data flowing over the signal line connecting the enciphering unit 
to the deciphering unit is stored, the stored data cannot be reproduced or used, because the data is the enciphered 
30 data. In addition, because the information necessary for enciphering the data is created on the basis of, for example, 
random numbers, and cannot be reproduced later, the stored data cannot be reproduced or used, even if the second 
key (master key) in the deciphering unit has been broken. As a result, the wrongful conduct of making unauthorized 
copies and selling the thus copied mediums can be prevented, thereby protecting copyrights. 

Still furthermore, with the present invention, because the enciphering unit and deciphering unit can be designed 
35 separately from the essential portion of the reproducing section of the digital recording and reproducing apparatus, 
even if the cipher is broken, the enciphering unit and deciphering unit have only to be replaced to overcome this problem. 

This invention can be more fully understood from the following detailed description when taken in conjunction with 
the accompanying drawings, in which: 

FIG. 1 is a block diagram of a system according to a first embodiment of the present invention; 
FIG. 2 is a flowchart for the operation of the first embodiment; 

FIG. 3 illustrates an example of a format in which the enciphered key and the enciphered data are stored on a 
recording medium; 

FIG. 4 is a diagram to help explain a case where the data is stored from the CPU BUS; 
45 FIG. 5 is a block diagram of a system according to a second embodiment of the present invention; 

FIGS. 6A and 6B show examples of the internal structure of the key judging section; 
FIG. 7 is a flowchart for the operation of the second embodiment; 
FIG. 8 is a flowchart for the operation of the second embodiment; 

FIG. 9 is a block diagram of a system according to a third embodiment of the present invention; 
so FIG. 10 is a flowchart for the operation of the third embodiment; 

FIG. 11 is a diagram to help explain the key control method; and 
FIG. 12 is a diagram to help explain the enciphering operation 

Hereinafter, referring to the accompanying drawings, embodiments of the present invention will be explained. 
55 in the embodiments, the operation of enciphering a certain data item a using key K is expressed as E K (a) and the 

operation of deciphering a certain data item a using key K is expressed as D K (a). By this way of expression, the 
operation of enciphering and deciphering a certain data item a using key K is expressed as Dk(E K (a)), for example. 

In the embodiments, there is a case where a certain data item is first deciphered and then the deciphered data 



4 



# • 



EP 0 817 185 A2 

item is enciphered to restore the original data item. This is based on the fact that the deciphering of the data has the 
same function as the enciphering of the data. Specifically, to return the enciphered data to the original data, the key 
used for deciphering must be known. Once the key is known, enciphering the deciphered data produces the original 
data that was first deciphered. If the cipher key is x and the data item is y, the operation will be expressed as: 

5 

E x (D x (y)) = y 

In the embodiments, explanation will be given using an example of a system that reads the image data compressed 
70 and enciphered according to the MPEG 2 data compression standard from a DVD and enciphers, decodes, and re- 
produce the read-out data. 

(First Embodiment) 

is Hereinafter, a first embodiment of the present invention will be explained. 

FIG. 1 is a block diagram of a system according to a first embodiment of the present invention. FIG. 2 is a flowchart 
for the operation of the first embodiment. 

The system related to the first embodiment is connected to the CPU BUS of the CPU (not shown) used for repro- 
duction in a computer, such as a personal computer. The system is designed to allow the enciphered data (E SK (Data) 
20 explained later) to flow over the CPU BUS. FIG. 1 shows only the sections related to the CPU used for reproduction. 

As shown in FIG. 1 , the system of the first embodiment comprises a DVD driving unit (not shown) that reads the 
data from a DVD 101, an enciphering unit 107 that is connected to the DVD driving unit without the CPU BUS or is 
built in the DVD driving unit, and a deciphering unit 114. 

The enciphering unit 107 and deciphering unit 114 are connected to the CPU BUS 110. The deciphering unit 114 
25 outputs the data via, for example, an I/O port, not via the CPU BUS. That is, in the embodiment, the input and output 
of the data is carried out without the CPU BUS, whereas the CPU BUS is used for the data transfer between the 
enciphering unit 107 and the deciphering unit 114. 

The enciphering unit 107 includes a demodulation/ error correction circuit 117, a demodulation/error correction 
circuit 118, and an enciphering circuit 104. Although in FIG. 1, the enciphering unit 107 has two enciphering circuits 
30 104, it is assumed that it actually has one enciphering circuit. The enciphering unit 107 is assumed to be composed 
of a single independent IC chip. The demodulation/error correction circuit 117 and demodulation/error correction circuit 
118 may be provided in the unit (the DVD driving unit) in the preceding stage, not in the enciphering unit 107. 

The deciphering unit 114 includes a deciphering circuit 112 and a session key creation circuit 111 that creates a 
second session key S K '. In the embodiment, the deciphering unit 114 is assumed to include an MPEG decoder circuit 
35 115 and a converter circuit 116 that converts the digital enciphered image data into analog data. Although in FIG. 1, 
the deciphering unit 114 has four deciphering circuits 112, it is assumed that it actually has one deciphering circuit. 
The deciphering unit 114 is assumed to be composed of a single independent IC chip. 

In each of the enciphering unit 107 and deciphering unit 114, a master key, explained later, has been registered. 
It is assumed that the master key has been recorded in a secret area in each of the enciphering unit chip and the 
deciphering unit chip so that the user cannot externally take out the master key. 

A control section (not shown) is assumed to control the entire system. The control section is realized by, for example, 
executing a program on the CPU in the computer. Concrete examples of control by the control section include an 
instruction to read the data from a DVD, the specification of data transfer destination, and an instruction to output the 
data from the deciphering unit 114. The control section may be triggered, for example, by the user via a user interface, 
45 or by a process in an application program. 

In the first embodiment, a first session key is represented by S K , a second session key S K ', the master key M K , 
and image data (i.e., the data to be enciphered) Data. 

In FIG. 1, numeral 102 indicates E MK (S K ) created by enciphering the first session key S K using the master key 
M K , 103 E SK (Data) created by enciphering the image data Data using the first session key S K , 105 the master key M K , 
50 106 a second session key S K ', 108 D MK (S K ') created by deciphering the second session key S K * using the master key 
M K , 109 E SK '(E MK (S K )) created by enciphering the first session key E MK (S K ) enciphered with the master key M K using 
the second session key S K \ and 113 the first session key S K . 

As shown in FIG. 3, it is assumed that on the DVD 101, E MK (S K ) created by enciphering the first session key S K 
using the master key M K is recorded in the key recording area (lead-in area) in the innermost circumference portion 
55 and the E SK (Data) created by enciphering the image data Data using the first session key Sk is recorded in the data 
recording area (data area). 

Hereinafter, the operation of the first embodiment will be explained by reference to the flowchart of FIG. 2. 

At step S1 , the first session key E MK (S K ) enciphered using the master key M K is read from the DVD 1 01 , on which 
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the DVD driving unit (not shown) has recorded the first session key, and then is loaded into the enciphering unit 107. 
At that time, the demodulation/error correction circuit 1 1 7 performs demodulation and data error correction. 

At step S2, in the deciphering unit 114, the session key creation circuit 111 creates a second session key S K ' using 
random numbers, such as time data from a clock (not shown). Then, the deciphering circuit 112 deciphers the created 
5 second session key S K * using the master key M K to create D MK (S K ') and sends it to the enciphering unit 107 via the 
CPU BUS 110. 

As the timing of generating random numbers (e.g., the timing of inputting time information), for example, the timing 
with which the signal indicating that the DVD 101 has been loaded into the DVD driving unit is asserted may be used. 

The session creation circuit 111 may be composed of a random-number generator that is as long as the key. When 
10 a key is created using random numbers all of whose bits may take 0s or Is, it is necessary to perform a check process 
to prevent all of the bits from taking 0s or 1s. 

At step S3, using the master key M K , the enciphering circuit 104 of the enciphering unit 107 enciphers D MK (S K ') 
received via the CPU BUS 110. 

Namely, from E MK (D MK (S K ')) = S K ' 
is a second session key S K ' created at the session key creation circuit 111 of the deciphering unit 114 can be 

obtained. 

The second session key S K ' created at the session key creation circuit 1 11 is designed to prevent its contents from 
being known even if it is stolen on the CPU BUS 110. 

Then, at step S4, using the second session key S K \ the enciphering unit 1 07 enciphers the enciphered first session 
20 key E MK (S K ) recorded on the DVD 101 to create E SK '(E MK (S K )), and sends this to deciphering unit 114. 

Then, at step S5, the deciphering circuit 112 of the deciphering unit 114 deciphers E SK '(E MK (S K )) received via the 
CPU BUS 110 using the second session key S K ' and produces: 

25 D SK '(E SK '(E MK (SK)))=E MK (S K ) 

Furthermore, E MK (S K ) obtained at the deciphering circuit 112 is deciphered using the master key M K to produce: 

30 °mk( e mk( s k)) = S K 

Thus, this gives the first session key S K . 

After the first session key S K has been obtained as described above, at step S6, the image data E SK (Data) enci- 
phered using the first session key S K recorded on the DVD 101 by the DVD driving unit (not shown) is read out and 
35 loaded into the enciphering unit 1 07. At that time, the demodulation/error correction circuit 1 1 8 performs demodulation 
and corrects errors in the data. Then, E SK (Data) is sent to the enciphering unit 107 via the CPU BUS 110. 

At step S7, the deciphering circuit 112 of the deciphering unit 11 4 deciphers E SK (Data) received via the CPU BUS 
110 using the first session key S K and produces: 

D SK (E SK (Data) = Data 

Then, the enciphered image data is deciphered to produce Data. 

Then, step S6 and step S7 are repeated until for example, the process of the data to be deciphered (i.e., E SK 
45 (Data)) has been completed or the stop of the process has been requested. 

When the image data Data thus obtained has been compressed according to, for example, the MPEG2 data com- 
pression standard, the image data is decoded at an MPEG decoder circuit 115. After the decoded signal has been 
converted by a D/A converter circuit 116 into an analog signal, the analog signal is sent to an imaging device (not 
shown), such as a television, which reproduces the image. 
so step 1 may be executed before or after step S2 and step S3. 

Step S6 and step S7 may be executed by the method of carrying out the steps in units of E SK (Data), the method 
of reading a specific number of E SK (Data) at step S6, storing the read-out data in a buffer temporarily, and then deci- 
phering E SK (Data) in the buffer at step S7, or the method of carrying out step S6 and step S7 in a pipeline processing 
manner. 

55 Moreover, the deciphering circuit 112 may transfer the image data E SK (Data) to the MPEG decoder circuit 115 in 

units of one Data item or a specific number of Data items. 

As described above, with the first embodiment, when the data is reproduced from a medium on which the digitized 
data has been enciphered and recorded (when the enciphered data is deciphered), the deciphered data is prevented 
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from flowing over the CPU BUS of the computer and the second session key S K ' used to encipher the first session key 
necessary for deciphering the enciphered data flowing over the CPU BUS is created on the basis of information that 
changes each time the data is reproduced, such as time information. Therefore, even when the data flowing over the 
CPU BUS 110 is stored from signal lines 210 into a digital storage medium 211 as shown in FIG. 4, the data cannot 
s be reproduced of used. 

As a result, the wrongful conduct of making unauthorized copies and selling the thus copied mediums can be 
prevented, thereby protecting copyrights. 

Furthermore, with the embodiment, as seen from FIG. 1 , because the circuits used for enciphering and deciphering 
can be designed separately from the essential portion of the reproducing section of the digital recording and reproducing 
10 apparatus, such as a DVD, even if the cipher is broken, the deciphering unit 114 (or the enciphering unit 107 and 
deciphering unit 114) has only to be replaced to overcome this problem. 

While in the first embodiment, the enciphering unit 107 has one enciphering circuit, it may have two enciphering 
circuits. Moreover, although in the embodiment, the deciphering unit 114 has one deciphering circuit, it may have two, 
three, or four deciphering circuits. In these cases, it is desirable that the enciphering circuits should be paired with the 
is corresponding deciphering circuits and each pair be used independently or in a shared manner. 

When a set of an enciphering circuit and the corresponding deciphering circuit is used independently, an encipher- 
ing method different from that in another enciphering circuit and deciphering circuit may be used in the enciphering 
circuit and its corresponding deciphering circuit in the independent set. 

20 (Second Embodiment) 

Hereinafter, a second embodiment of the present invention will be explained. 

What will be explained in the second embodiment is an example suitable for a case where a plurality of predeter- 
mined master keys are prepared and one or more of them are allocated to deciphering unit makers (or DVD makers 
25 and distributors) 

FIG. 5 is a block diagram of the system according to the second embodiment of the present invention. An example 
of the operation of the second embodiment is shown in the flowchart of FIGS. 7 and 8. 

The system related to the second embodiment is connected to the CPU BUS of the CPU (not shown) used for 
reproduction in a computer, such as a personal computer. The system is designed to allow the enciphered data (E SK 
30 (Data)) to flow over the CPU BUS. FIG. 5 shows only the sections related to the CPU used for reproduction. 

As shown in FIG. 5, the system of the second embodiment comprises a DVD driving unit (not shown) that reads 
the data from a DVD 101 , an enciphering unit 107 that is connected to the DVD driving unit without the CPU BUS or 
is built in the DVD driving unit, and a deciphering unit 114a. 

The enciphering unit 107 and deciphering unit 11 4a are connected to the CPU BUS 110. The deciphering unit 114a 
35 outputs the data via, for example, an I/O port, not via the CPU BUS. That is, in the second embodiment, the input and 
output of the data is carried out without the CPU BUS, whereas the CPU BUS is used for the data transfer between 
the enciphering unit 107 and the deciphering unit 114a. 

The enciphering unit 107 includes a demodulation/ error correction circuit 117, a demodulation/error correction 
circuit 118, and an enciphering circuit 104. Although in FIG. 5, the enciphering unit 107 has two enciphering circuits 
40 104, it is assumed that it actually has one enciphering circuit. The enciphering unit 107 is assumed to be composed 
of a single independent IC chip. The demodulation/error correction circuit 117 and demodulation/error correction circuit 
118 may be provided in the unit (the DVD driving unit) in the preceding stage, not in the enciphering unit 107. 

The deciphering unit 114a includes a deciphering circuit 112 and a session key creation circuit 111 that creates a 
second session key S K \ and a key judging circuit 120. 
45 FIGS. 6A and 6B show examples of the structure of the key judging circuit 1 20. The key judging circuit 1 20 includes 

a deciphering circuit 112, a comparison circuit 121, and a gate circuit 122. In the second embodiment, it is assumed 
that the deciphering unit 114a incorporates an MPEG decoder circuit 115 and a conversion circuit 116 that converts 
the deciphered digital image data into analog image data. 

Although in FIG. 5 and FIGS. 6A and 6B, the deciphering unit 114a has a total of five deciphering circuits 112, 
50 including the two deciphering circuits 112 in the key judging circuit 120, it is assumed that it actually has one deciphering 
circuit. 

The deciphering unit 114a is composed of a single independent IC chip. 

In each of the enciphering unit 107 and deciphering unit 114a, master keys, explained later, have been registered. 
It is assumed that the master keys have been recorded in a secret area in each of the enciphering unit chip and the 
55 deciphering unit chip so that the user cannot externally take out the master keys. 

A control section (not shown) is assumed to control the entire system. The control section is realized by, for example, 
executing a program on the CPU in the computer. Concrete examples of control by the control section include an 
instruction to read the data from a DVD, the specification of data transfer destination, and an instruction to output the 
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data from the deciphering unit 114a. The control section may be triggered, for example, by the user via a user interface, 
or by a process in an application program. 

In the second embodiment, there are an n number of types of master keys. A first session key is represented by 
S K , a second session key S K \ the n-th master key M Kt (t s in the range of 1 ton), and image data (i.e., the data to be 
5 enciphered) Data. 

In FIG. 5, numeral 102-1 indicates E MKi (S K ) created by enciphering the first session key ^ using the master key 
M Kj , 102-2 E SK (S K ) created by enciphering the first session key S K using the first session key S K itself, 103 E SK (Data) 
created by enciphering the image data Data using the first session key S K , 105 the master key M Ki , 106 a second 
session key S K \ 108 D MK j(SK) created by deciphering the second session key S K ' using the master key M Kj , 109-1 
10 E SK '(E MKj (S K )) created by enciphering the first session key E MKj (S K ) enciphered with the master key M Ki using the 
second session key S K \ 109-2 E SK '(E SK (S K )) created by enciphering the first session key E SK (S K ) enciphered with the 
first session key S K itself using the second session key S K ' and 113 the first session key S K . 

Several methods can be considered as to how to set the number of types of E MKI (S K ) created by enciphering the 
first session key S K recorded on the DVD 101 using the master key M w and how to set the number of types of master 
15 key M K j the deciphering unit 114a has in it. For example, they are as follows. 

(Method 1 ) One master key E MKj (S K ) (i is in the range of 1 to n) is recorded on the DVD 101 . The deciphering unit 
114a has an n number of master keys M^ (j = 1 to n) in it. 

(Method 2) An n number of master keys E MKi (S K ) (i = 1 to n) are recorded on the DVD 101. The deciphering unit 
114a has one master key M Ki (j is in the range of 1 to n) in it. 
so (Method 3) This is an expansion of Method 2. An n number of master keys E MKi (S K ) (i = 1 to n) are recorded on 

the DVD 101. The deciphering unit 114a has an m (2 < m < n) number of master keys M Kj (j = 1 to n) in it. The m 
number of master keys have been selected from the n number of master keys beforehand. 

As a concrete example, n = 1 00 or n = 400 and m = 2, 3, 4, or 1 0. The present invention is not limited to these values. 

(Method 4) This is the reverse of Method 3. An m (2 < m < n) number of master keys E MKi (S K ) (i = 1 to n) are 
25 recorded on the DVD 101 . The m number of master keys have been selected from an n number of master keys M^ (j 
= 1 to n) beforehand. The deciphering unit 114a has an n number of master keys M Kj (j = 1 to n) in it. 

(Method 5) An n number of master keys E MKI (S K ) (i = 1 to n) are recorded on the DVD 101. The deciphering unit 
114a has an n number of master key M^ G = 1 to n) in it. 

Method 3 to Method 5 have the same deciphering procedure. 
30 As shown in FIG. 3, it is assumed that on the DVD 101, one (in the case of Method 1) or more (in the case of 

Method 2 to Method 5) E MKi (S K ) created by enciphering the first session key S K using the master key M Ki are recorded 
in the key recording area (lead-in area) in the innermost circumference portion and E SK (Data) created by enciphering 
the image data Data using the first session key S K is recorded in the data recording area (data area). 

It is assumed that an n number of master keys M K j (in the case of Method 1, Method 4, or Method 5), one master 
35 key M Kj (in the case of Method 2), or an m number of master keys M Kj (in the case of Method 3) have been registered 
in the deciphering unit 114a. 

A predetermined master key is assumed to have been registered in the deciphering unit 107. 

Hereinafter, Method 1 , Method 2, and Method 3 to Method 5 will be explained in that order. 

First, the operation of the second embodiment in the case of Method 1 will be explained by reference to the flow- 
40 charts of FIGS. 7 and 8. 

At step S11, the first session key E SK (S K ) enciphered using the first session key S K itself is read from the DVD 
1 01 , on which the DVD driving unit (not shown) has recorded the first session key, and then is loaded into the enciphering 
unit 107. At that time, the demodulation/error correction circuit 117 performs demodulation and data error correction. 

At step S1 2, the first session key E MKi (S K ) (i in the range of 1 to n, where i is unknown here) enciphered using the 
45 master key M Ki is read from the DVD 101, on which the DVD driving unit (not shown) has recorded the master key, 
and then is loaded into the enciphering unit 107. At that time, the demodulation/ error correction circuit 117 performs 
demodulation and data error correction. 

At step S1 3, the session key creation circuit 1 1 1 of the deciphering unit 1 1 4 creates a second session key S K ' using 
random numbers, such as time data from a clock (not shown). Then, the deciphering circuit 112 deciphers the created 
so second session key S K ' using the master key M^ (j is in the range of 1 to n, where j is predetermined) to create D MK j 
(S K ') and sends it to the enciphering unit 107 via the CPU BUS 110. 

As the timing of generating random numbers (e.g., the timing of inputting time information), for example, the timing 
with which the signal indicating that the DVD 101 has been loaded into the DVD driving unit is asserted may be used. 

The session creation circuit 111 may be composed of a random-number generator that is as long as the key, for 
ss example. When a key is created using random numbers all of whose bits may take 0s or Is, it is necessary to perform 
a check process to prevent ail of the bits from taking 0s or 1s. 

At step S14, using the master key M KJ (j has a predetermined value in the range of 1 to n), the enciphering circuit 
104 of the enciphering unit 107 enciphers D MKj (S K ') received via the CPU BUS 110. 
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Namely, from E M Kj( D MKj(S K ')) = S K ' 
a second session key S K ' created at the session key creation circuit 111 of the deciphering unit 114a can be 
obtained. 

The second session key S K * created at the session key creation circuit 111 is designed to prevent its contents from 
s being known even if it is stolen on the CPU BUS 110. 

Then, at step S15, using the thus obtained second session key S K ', the enciphering unit 107 enciphers the enci- 
phered first session key E SK (S K ) recorded on the DVD 101 to create E SK '(E SK (S K )), and sends this to deciphering unit 
114a in via CPU BUS 110. 

Similarly, at step S16, using the thus obtained second session key S K \ the enciphering unit 107 enciphers the 
io enciphered first session key E MKi (S K ) recorded on the DVD 1 01 to create E SK '(E MKi (S K )), and sends this to deciphering 
unit 114a. 

Then, at step S17, the deciphering circuit 112 of the deciphering unit 114a deciphers Esk'( e sk( s k)) received via 
the CPU BUS 110 using the second session key S^ and produces: 

5 d sk , (E S k , (Esk(Sk))) = E S k(Sk) 

Similarly, at step S18, the deciphering circuit 112 of the deciphering unit 114a deciphers E SK '(E MKj (S K )) received 
via the CPU BUS 110 using the second session key S K ' and produces: 

20 

D SK ( E SK ( E MKi( S K)))= E MKi( S K) 

Because the master key M Ki used in creating E MKi (S K ) is unknown, the first session key S K is found using the key 
25 judging circuit 1 20 as follows. 

First, the principle of the key judging process will be explained. 

When E MKj (S K ) is deciphered using all of the master keys M Kj (j = 1 to n), this gives: 

30 S Kij= D MKj( E MKi( S K))(j=1tOn) 

Of these, one S Kij (j = 1 to n) is the first session key SK. 

Using the E SK (S K ), it is determined which one of the created S^ (j = 1 to n) is the first session key S K . 

Then, when E SK (S K ) is deciphered using all of the candidates S^ (j = 1 to n) of the first session key, this gives: 

35 

VO' i)= D SKij( E SK( S K)> 

Here, when the same master key M K j as the master key M Kj used in creating E MKj (S K ) is used in the deciphering 
40 unit, or when i = j, this gives S K '(i, j) = S K y = S K 

Therefore, when a check is made to see if S K "(i, j) = S Kjj (j = 1 to n) holds for each S Kl j (j = 1 to n), this gives S Ki j 
that meets S K "(i, j) = S Kii (j = 1 to n) as the first session key S K . The one corresponding to j giving the S Kij is the master 
key used in the present session. 

The operation is expressed in C language notation as follows: 

45 



50 



55 



9 



EP0 817 185 A2 

for (i=l; i<n+l; i++) { 

DSl[i]=DMKt i] (EM Ki (S K ) ) ; 
s DS2[i}=DSK[iJ(E S K(SK))? 

if (DSl[i]==DS2[i] ) 

„ SKl=DS2[i); 

break; 

} 

else EXIT_MISMATCH; 

15 

> 

The second line in the above procedure indicates the operation of deciphering E MKj (S K ) using M Ki and substituting 
the result into DS1[i]. 

20 The third line in the procedure indicates the operation of deciphering E SK (S K ) using S Kj and substituting the result 

intoDS2[i]. 

The fourth line in the procedure indicates the operation of judging whether nor not DS1[i] coincides with DS2[iJ. 
The ninth line in the procedure indicates the operation executed when DS1[i] does not coincide with DS2[i]. 
For example, in FIGS. 6A and 6B, the deciphering circuit 112 in the key judging circuit 1 20 deciphers E MKj (S K ) for 
25 \--\ using master key M K j, giving: 

S Kij ~ D MKj< E MKi( S K)) 

30 Then, the deciphering circuit 112 deciphers E SK (S K ) using S Ki |, giving: 

S K"=DsK,i< E SK( S K» 

35 Next, the comparison circuit 121 compares S K ' with S Kjj . If they coincide with each other, the gate circuit 122 will 

be controlled so as to output the stored S Kjj (FIG. 6A) or S K " (FIG. 6B) as the first session key S K . 

If they do not coincide, j is incremented by one and the same operation will be carried out until the first session 
key S K has been obtained. 

After the first session key S K has been obtained as described above, at step S20, the image data E SK (Data) 
40 enciphered using the first session key S K recorded on the DVD 101 by the DVD driving unit (not shown) is read out 
and loaded into the enciphering unit 107. At that time, the demodulation/error correction circuit 118 performs demod- 
ulation and corrects errors in the data. Then, E SK (Data) is sent to the enciphering unit 107 via the CPU BUS 110. 

At step S21, the deciphering circuit'112 of the deciphering unit 114a deciphers E SK (Data) received via the CPU 
BUS 110 using the first session key S K and produces: 

45 

D SK (E SK (Data) = Data 

Then, the enciphered image data is deciphered to produce Data. 
so Then, step S20 and step S21 are repeated until for example, the process of the data to be deciphered (i.e., E SK 

(Data)) has been completed or the stop of the process has been requested. 

When the image data Data thus obtained has been compressed according to, for example, the MPEG2 data com- 
pression standard, the image data is decoded at an MPEG decoder circuit 115. After the decoded signal has been 
converted by a D/A converter circuit 116 into an analog signal, the analog signal is sent to an imaging device (not 
55 shown), such as a television, which reproduces the image. 

Any one of step S1 1 , step S12, and steps S13 and S4 may be executed first. 
Moreover, either step S15 and step S17 or step S16 and S18 may be executed first. 

Step S20 and step S21 may be executed by the method of carrying out the steps in units of E SK (Data), the method 
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of reading a specific number of E SK (Data) at step S20, storing the read-out data in a buffer temporarily, and then 
deciphering E SK (Data) in the buffer at step S21 , or the method of carrying out step S20 and step S21 in a pipeline 
processing manner. 

Moreover, the deciphering circuit 112 may transfer the image data E SK (Data) to the MPEG decoder circuit 115 in 
s units of one Data item or a specific number of Data items. 

As described above, with the second embodiment, even when the data flowing over the CPU BUS 110 is stored, 
the data cannot be reproduced of used, as in the first embodiment. 

As a result, the wrongful conduct of making unauthorized copies and selling the thus copied mediums can be 
prevented, thereby protecting copyrights. 
10 Furthermore, with the second embodiment, the information that directly indicates the master key used to encipher 

the first session key recorded on the recording medium is not necessary, which enables a suitable master key to be 
selected and used in a predetermined range in recording the data on a DVD. In addition, the second embodiment has 
the advantage that it can allocate master keys in a specific unit, such as a DVD maker or a DVD distributor. 

With the second embodiment, because the circuits used for enciphering and deciphering can be designed sepa- 
15 rately from the essential portion of the reproducing section of the digital recording and reproducing apparatus, such 
as a DVD, even if the cipher is broken, the deciphering unit 114a (or the enciphering unit 107 and deciphering unit 
1 14a) has only to be replaced to overcome this problem. 

While in the second embodiment, the enciphering unit 107 has one enciphering circuit, it may have two enciphering 
circuits. Moreover, although in the embodiment, deciphering unit 114a has one deciphering circuit, it may have two, 
20 three, four, or five deciphering circuits. In these cases, it is desirable that the enciphering circuits should be paired with 
the corresponding deciphering circuits and each pair be used independently. 

When a set of an enciphering circuit and its corresponding deciphering circuit is used independently, an enciphering 
method different from that in another enciphering circuit and deciphering circuit may be used in the enciphering circuit 
and its corresponding deciphering circuit in the independent set. 
25 Next, the operation of the second embodiment in the case of Method 2 where an n number of E MKi (S K ) (i = 1 to 

n) have been recorded on the DVD 101 and the deciphering unit 114a includes one M^ (j has a value in the range of 
1 to n) will be explained by reference to the flowcharts of FIGS. 7 and 8. 

At step S11, the first session key E SK (S K ) enciphered using the first session key itself is read from the DVD 
1 01 , on which the DVD driving unit (not shown) has recorded the first session key, and then is loaded into the enciphering 
30 unit 107. At that time, the demodulation/error correction circuit 117 performs demodulation and data error correction. 

At step S12, the first session key E MKi (S K ) (i = 1 to n) enciphered using the master key M Kj is read from the DVD 
101 , on which the DVD driving unit (not shown) has recorded the master key, and then is loaded into the enciphering 
unit 107. At that time, the demodulation/error correction circuit 117 performs demodulation and data error correction. 
At step S13, the session key creation circuit 111 of deciphering unit 114a creates a second session key S K ' using 
35 random numbers, such as time data from a clock (not shown). Then, the deciphering circuit 112 deciphers the created 
second session key S K ' using the master key M Kj (j has a predetermined value in the range of 1 to n) to create D MK j 
(S K ') and sends it to the enciphering unit 107 via the CPU BUS 110. 

As the timing of generating random numbers (e.g., the timing of inputting time information), for example, the timing 
with which the signal indicating that the DVD 101 has been loaded into the DVD driving unit is asserted may be used. 
40 At step S14, using the master key M KJ (j has a predetermined value in the range of 1 to n), the enciphering circuit 

104 of the enciphering unit 107 enciphers D MKj (S K ') received via the CPU BUS 110. 
Namely, from E^D^S^)) = S K ' 
a second session key S K ' created at the session key creation circuit 111 of the deciphering unit 114a can be 
obtained. 

45 The second session key S K ' created at the session key creation circuit 1 11 is designed to prevent its contents from 

being known even if it is stolen on the CPU BUS 110. 

Then, at step S15, using the thus obtained second session key S K \ the enciphering unit 107 enciphers the enci- 
phered first session key E SK (S K ) recorded on the DVD 101 to create Eg^E^S^), and sends this to deciphering unit 
114a. 

50 Similarly, at step S16, using the thus obtained second session key S K ', the enciphering unit 107 enciphers an n 

number of enciphered first session keys E MKj (S K ) recorded on the DVD 101 to create Esk^m^Sx)), and sends these 
to deciphering unit 114a via the CPU BUS 110. 

Then, at step S17, the deciphering circuit 112 of the deciphering unit 114a deciphers E SK '(E SK (S K )) received via 
the CPU BUS 110 using the second session key S K ' and produces: 

55 

•<E SK - (E SK (S K ))) = E SK (S K ) 
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Similarly, at step S18, the deciphering circuit 112 of the deciphering unit 114a deciphers E SK '(E MKi {S K )) received 
via the CPU BUS 110 using the second session key S K * and produces: 

D SK < E SK ( E MKi( S K)))= E MKi( S K) 

Because the master key M Kj used in creating each of the n number of E WKi (S K ) (i = 1 to n) recorded on the DVD 
101 is unknown, it cannot be known whether the master key M Kt corresponds to the master key M Kj in the deciphering 
unit 114a. At step S1 9, the first session key S K is found using the key judging circuit 120 as follows. 

First, the principle of the key judging process will be explained. 

When all of E MKI (S K ) (i = 1 to n) are deciphered using the master key M^, this gives: 

S Kij = D MK j ( E MKi( S K)) 0=1 ton) 
Of these, one (i is in the range of 1 to n) is the first session key S K . 

Using the E SK (S K ), it is determined which one of the created (i = 1 to n) is the first session key S K . 

Then, when E SK (S K ) is deciphered using all of the candidates S Kij (i = 1 to n) of the first session key, this gives: 

VC i) = D SKij (E SK (S K )) 



Here, when the same master key M Kj as the master key M Ki used in creating E MKj (S K ) is used in the deciphering 
unit, or when i = j, this gives S K m (\, j) - S Kjj = S K . 
25 Therefore, when a check is made to see if S K "(i, j) = S Kij (j = 1 to n) holds for each S Kij (i = 1 to n), this gives 

that meets S K "(i, j) = S Kj j (j = 1 to n) as the first session key S K . The one corresponding to i giving the is the master 
key used in the present session. 

For example, in FIGS. 6A and 6B, the deciphering circuit 11 2 in the key judging circuit 1 20 deciphers E MK j(S K ) for 
i = 1 using master key M K j, giving: 

30 

Then, the deciphering circuit 112 deciphers E SK (S K ) using S^, giving: 

35 

S K '= D SKii( E SK< S K>) * 



Next, the comparison circuit 121 compares S K " with S Kjj . If they coincide with each other, the gate circuit 122 will 
40 be controlled so as to output the stored S Ki j (FIG. 6A) or S K " (FIG. 6B) as the first session key S K . 

If they do not coincide, i is incremented by one and the same operation will be carried. This will be continued until 
the first session key S K has been obtained. 

After the first session key S K has been obtained as described above, at steps S20 to S22, the image data Data is 
extracted from the image data E SK (Data) enciphered using the first session key S K . 
45 As described earlier, the image data Data is decoded at the MPEG decoder circuit 115. After the decoded signal 

has been converted by the D/A converter circuit 116 into an analog signal, the analog signal is sent to the imaging 
device (not shown), such as a television, which reproduces the image. 

In Method 2, too, any one of step S11 , step S12, and step S13 and step S14 may be executed first. 

Moreover, either step S1 5 and step S1 7 or step S16 and S18 may be executed first. 
50 Furthermore, steps S1 2, S16, S18, and S1 9 may be executed in a batch processing manner using all the n number 

of (enciphered) master keys recorded on the DVD or using a specific number of master keys at a time. They may be 
executed one after another for each master key. 

When they are executed sequentially every third master key, the second session key S K ' may be created for each 
master key. 

55 Step S20 and step S21 may be executed by the method of carrying out the steps in units of E SK (Data), the method 

of reading a specific number of E SK (Data) at step S20, storing the read-out data in a buffer temporarily, and then 
deciphering E SK (Data) in the buffer at step S21, or the method of carrying out step S20 and step S21 in a pipeline 
processing manner. 
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Moreover, the deciphering unit 114a may transfer the image data E SK (Data) to the MPEG decoder circuit 115 in 
units of one Data item or a specific number of Data items. 

As described above, with the second embodiment, even when the data flowing over the CPU BUS 110 is stored, 
the data cannot be reproduced or used, as in the first embodiment. 
s As a result, the wrongful conduct of making unauthorized copies and selling the thus copied mediums can be 

prevented, thereby protecting copyrights. 

Furthermore, with the second embodiment, because the first session keys enciphered using more than one master 
key and the first session key enciphered with the first session key itself are stored on the recording medium, the master 
keys built in the deciphering unit can be allocated in a specific unit, such as to each unit manufacturer. 
10 With the second embodiment, because the circuits used for enciphering and deciphering can be designed sepa- 

rately from the essential portion of the reproducing section of the digital recording and reproducing apparatus, such 
as a DVD, as seen from FIG. 1 , even if the cipher is broken, the deciphering unit 114b (or the enciphering unit 107 and 
deciphering unit 114b) has only to be replaced to overcome this problem. 

While in the second embodiment, the enciphering unit 107 has one enciphering circuit, it may have two enciphering 
15 circuits. Moreover, although in the embodiment, the deciphering unit 11 4a has one deciphering circuit, it may have two, 
three, four, or five deciphering circuits. In these cases, it is desirable that the enciphering circuits should be paired with 
the corresponding deciphering circuits and each pair be used independently or be shared. 

When a set of an enciphering circuit and its corresponding deciphering circuit is used independently, an enciphering 
method different from that in another enciphering circuit and deciphering circuit may be used in the enciphering circuit 
20 and its corresponding deciphering circuit in the independent set. 

Next, explanation will be given about Method 3 where an n number of E MKj (S K ) (i = 1 to n) have been recorded on 
the DVD 101 and the deciphering unit 114a includes an m number of M K j(j takes m values in the range of 1 ton(m<n)). 

Since Method 3 is the same as Method 2 in basic configuration, operation, and effect, only the difference between 
them will be explained. 

25 While in Method 2, the deciphering unit 114a includes one predetermined master key M K j (j has a value in the 

range of 1 to n), in Method 3, the deciphering unit 114a includes an m number of predetermined master keys M^ (m 
^ 2). The order in which the m number of master keys M^ (j takes m values in the range of 1 to n) are used in the key 
judgment has been determined. 

Because an n number of E MKj (S K ) (i = 1 to n) have been recorded on the DVD 101, using the master key first in 

30 order of use in the deciphering unit 114b produces the first session key S K . Therefore, in this case, the operation is 
the same as in Method 2. 

With Method 3, if one of the master keys is broken, the master key is made unusable. From this time on, E MKi (S K ) 
corresponding to the unusable master key is not allowed to be recorded on the DVD 101 . This case will be explained 
below. 

35 When the unusable master key is not the master key first in order of use, the first session key S K can be obtained. 

In this case, too, the operation is the same as in Method 2. 

When the master key first in order of use is made unusable, E MKi (S K ) corresponding to the unusable master key 

has not been recorded on the DVD 101 . Even if the master key first in order of use is used, the first session key Sk 

cannot be obtained in step S19. In such a case, when the deciphering unit 114a carries out the same operation using 
40 the master key second in order of use as in Method 2, this produces the first session key S^ provided that this master 

key is not unusable. 

Even when the master key r-th in order of use is made unusable, the first session key S K can be obtained similarly, 
provided that one of the master keys (r + 1 )-th or later in order of use is not unusable. 

In this way, the deciphering unit 114a can be used until the predetermined m number of master keys (m ^ 2) in 
45 the deciphering unit 114a have all been made unusable. 

The operation of Method 5 is the same as that of Method 3. 

Because in Method 4, the information corresponding to all the master keys has not been stored on the DVD 101, 
when the information corresponding to the master key selected in the deciphering unit has not been recorded on the 
DVD 101, deciphering cannot be effected as in the case where the master key is unusable. In this case, the master 
50 key next in order of use is selected and deciphering is tried. Therefore, the operation of Method 4 is also the same as 
that of Method 3. 

In the embodiment, to encipher the information and transfer it safely over the CPU BUS 110, the second session 
key S K ' has been used. The second session key S K ' is created in the deciphering unit 114a and is transferred to the 
enciphering unit 107 through the procedure of using master keys. At that time, one predetermined master key is sup- 
55 posed to have been registered in the enciphering unit 107. 

Instead, a plurality of master keys may be registered in the enciphering unit 107 and the second session key 
may be transferred from the deciphering unit 114a to the enciphering unit 107, using the procedure as described in 
Method 1 to Method 5 using key judgment. 
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For example, when the same master key as that registered in the deciphering unit 114a is also registered in the 
enciphering unit 107, the operation is the same as that of Method 5. 

When part of the master keys registered in the deciphering unit 114a are registered in the enciphering unit 107, 
the operation is the same as that of Method 3. 
s When one master key is registered in the enciphering unit 107, the procedure of Method 2 can be used. 

In these cases, however, in the procedure of each of Method 1 to Method 5, enciphering is replaced with deci- 
phering. Specifically, D MKi (S K ) and D SK (S K ) are transferred from the deciphering unit 114a to the enciphering unit 107. 

In addition to the configuration using the master key, various suitable configurations may be used as the configu- 
ration that safely transfers the second session key S K ' from the deciphering unit 11 4a to the enciphering unit 107 over 
10 the CPU BUS 110. For example, the techniques disclosed in Nikkei Electronics, No. 676, Nov. 18, 1996, pp. 13-14. In 
this case, it is not necessary to register a master key in the enciphering unit 107. 

(Third Embodiment) 

is Hereinafter, a third embodiment of the present invention will be explained. 

The third embodiment is, for example, a single DVD player. 

FIG. 9 is a block diagram of a system according to the third embodiment of the present invention. An example of 
the operation of the third embodiment is shown in the flowchart of FIG. 10. 

The third embodiment is what is obtained by eliminating from the configuration of the second embodiment the 
2° portion related to the operation of exchanging an enciphered key between the enciphering unit and deciphering unit 
by use of the second session key 

As shown in FIG. 9, the system of the third embodiment comprises a DVD driving unit (not shown) that reads the 
data from a DVD 101 and a deciphering unit 114b. 

The deciphering unit 114b includes a deciphering circuit 112, a key judging circuit 120, a demodulation/ error 
25 correction circuit 117, and a demodulation/error correction circuit 118. In the third embodiment, the deciphering unit 
114b is assumed to include an MPEG decoder circuit 115 and a conversion circuit 116 that converts the digital deci- 
phered data into analog data. 

As shown in FIGS. 6A and 6B, the key judging circuit 120 includes a deciphering circuit 112, a comparison circuit 
121 , and a gate circuit 122. 

30 Although in FIG. 9 and FIGS. 6A and 6B, the deciphering unit 11 4b has a total of three deciphering circuits 11 2, 

including the two deciphering circuits 1 1 2 in the key judging circuit 1 20, it is assumed that it actually has one deciphering 
circuit. Each of the demodulation/error correction circuit 117 and the demodulation/error correction circuit 118 may be 
provided in the unit in the preceding stage, not in the enciphering unit 107. 
The deciphering unit 114b is composed of a single independent IC chip. 
35 In the deciphering unit 114b, a master key, explained later, has been registered. It is assumed that the master key 

has been recorded in a secret area in the deciphering unit chip so that the user cannot externally take out the master key. 

In the third embodiment, there are an n number of master keys. A first session key is represented by S K , a second 
session key S K ', the i-th master key M KI (i is in the range of 1 to n), and image data (i.e., the data to be enciphered) Data. 
In FIG. 9, numeral 102-1 indicates E MKi (S K ) created by enciphering the first session key SK using the master key 
40 M^, 102-2 E SK (S K ) created by enciphering the first session key S K using the first session key S K itself, 103 E SK (Data) 
created by enciphering the image data Data using the first session key S^, 105 the master key M Ki , and 113 the first 
session key S K . 

As in the second embodiment, several methods can be considered as to how to set the number of types of E^i 
(S K ) created by enciphering the first session key SK recorded on the DVD 101 using the master key M w and how to 
45 set the number of types of master key M K j the deciphering unit 11 4b has in it. For example, they are as follows. 

(Method 1 ) One master key E MKi (S K ) (i is in the range of 1 to n) is recorded on the DVD 101 . The deciphering unit 
1 14b has an n number of master keys M^ (j = 1 to n) in it. 

(Method 2) An n number of master keys E MKI (S K ) (i = 1 to n) are recorded on the DVD 101. The deciphering unit 
114b has one master key M K j (j has a value in the range of 1 to n) in it. 
so (Method 3) An n number of master keys E MKi (S K ) (i = 1 to n) are recorded on the DVD 101 . The deciphering unit 

1 14b has an m (2 < m < n) number of master keys M Kj (j is in the range of 1 to n) in it. 

(Method 4) An m (2 < m < n) number of master keys E MKj (S K ) (i is in the range of 1 to n) are recorded on the DVD 
101 . The deciphering unit 1 14b has an n number of master keys M Kj (j = 1 to n) in it. 

(Method 5) An n number of master keys E MKj (S K ) (i = 1 to n) are recorded on the DVD 101 . The deciphering unit 
ss 1 14b has an n number of master key M K j (j = 1 to n) in it. 

As shown in FIG. 3, it is assumed that on the DVD 101, one (in the case of Method 1) or more (in the case of 
Method 2 to Method 5) E MKi (S K ) created by enciphering the first session key S K using the master key M Ki are recorded 
in the key recording area (lead-in area) in the innermost circumference portion and the E SK (Data) created by enciphering 
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the image data Data using the first session key S K is recorded in the data recording area (data area). 

Next, the operation of the third embodiment will be explained by reference to the flowchart of FIG. 10. The operation 
of the third embodiment is what is obtained by eliminating from the operation of the second embodiment the portion 
related to the operation of exchanging an enciphered key between the enciphering unit and deciphering unit by use of 
s the second session key. 

At step S31, the first session key E SK (S K ) enciphered using the first session key S K itself is read from the DVD 
1 01 , on which the DVD driving unit (not shown) has recorded the first session key, and then is loaded into the deciphering 
unit 114b. At that time, the demodulation/error correction circuit 117 performs demodulation and data error correction. 
At step S32, the first session key E MKi (S K ) enciphered using the master key M Ki is read from the DVD 101. on 
10 which the DVD driving unit (not shown) has recorded the master key, and then is loaded into the deciphering unit 11 4b. 
At that time, the demodulation/ error correction circuit 117 performs demodulation and data error correction. 
At step S33, the first session key S K is obtained using the key judging circuit 120. 

The operation of obtaining the first session key S K differs depending on Method 1 , Method 2, or Method 3 to Method 
5. Each case is the same as explained in the second embodiment, so explanation of them will not be given. 
15 After the first session key S K has been obtained, the image data Data is extracted from the enciphered image data 

E SK (Data) using the first session key S K at steps S34 to S36. The operation at step S34 to S36 are the same as that 
of steps S20 to S22 explained in the second embodiment (i.e., that of steps S6 to S8 explained in the first embodiment) 
except that there is no exchange of the image data Data between the units via the CPU BUS. 

As described earlier, the image data Data is decoded at the MPEG decoder circuit 115. After the decoded signal 
20 has been converted by the D/A converter circuit 116 into an analog signal, the analog signal is sent to the imaging 
device (not shown), such as a television, which reproduces the image. 

In Method 3, too, step S31 may be executed before step S32 or vice versa. 

Furthermore, in method 2 and in method 3 to method 5, step S32 and step S33 may be executed in a batch 
processing manner using all the n number of (enciphered) master keys (in the case of Methods 2, 3, and 5) or all the 
25 m number of (enciphered) master keys (in the case of Method 4) recorded on the DVD or using a specific number of 
master keys at a time. They may be executed one after another for each master key. 

Step S34 and step S35 may be executed by the method of carrying out the steps in units of E SK (Data), the method 
of reading a specific number of E SK (Data) at step S34, storing the read-out data in a buffer temporarily, and then 
deciphering E SK (Data) in the buffer at step S35, or the method of carrying out step S34 and step S35 in a pipeline 
30 processing manner. 

Moreover, the deciphering unit 114b may transfer the image data E SK (Data) to the MPEG decoder circuit 115 in 
units of one Data item or a specific number of Data items. 

With the third embodiment, the wrongful conduct of making unauthorized copies and selling the thus copied me- 
diums can be prevented, thereby protecting copyrights. 
35 Furthermore, with the third embodiment, it is possible to select and use a suitable master key in a predetermined 

range in recording the data on a DVD. The master keys can be allocated in a specific unit, such as to a DVD player 
maker, a DVD maker or a DVD distributor. 

Still furthermore, with the third embodiment, because the circuits used for enciphering and deciphering can be 
designed separately from the essential portion of the reproducing section of the digital recording and reproducing 
40 apparatus, such as a DVD, as seen from FIG. 1 , even if the cipher is broken, the deciphering unit 114b has only to be 
replaced to overcome this problem. 

While in the third embodiment, the deciphering unit 114b has one deciphering circuit, it may have two or three 
deciphering circuits. In these cases, it is desirable that the enciphering circuits should be paired with the corresponding 
deciphering circuits and each pair be used independently or be shared. 
45 When a set of an enciphering circuit and its corresponding deciphering circuit is used independently, an enciphering 

method different from that in another enciphering circuit and deciphering circuit may be used in the enciphering circuit 
and its corresponding deciphering circuit in the independent set. 

Until now, the first embodiment, the second embodiment (specifically, the three types of configuration), and the 
third embodiment (specifically, the three types of configuration) have been explained. The present invention is not 
50 limited to these embodiments, but may be practiced or embodied in still other ways without departing from the spirit or 
essential character thereof. 

Although the embodiments have been explained using a DVD as information recording medium, the present in- 
vention may be applied to other recording mediums, such as CD-ROMs. 

While in the embodiments, the image data has been used as the information to be deciphered, the present invention 
55 may be applied to reproducing devices of other types of information, such as sound, text, or programs. 

While in the embodiments, the data Data is image data, the configuration may be designed to use key information 
S Kt as the data Data. Specifically, E SK (S Kt ) and E SKt (Data) may be recorded on a recording medium, such as a DVD, 
beforehand in place of E SK (Data), then S Kt is first obtained at the deciphering units 114, 114a, 114b through the pro- 
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cedure in each of the embodiments, and E SKt (Data) is deciphered using the S Kt to produce the actual contents of the 
data. The hierarchization of keys may be carried out over any number of levels of hierarchy. 

While in the embodiments, the information to be deciphered has been compressed according to the MPEG2 stand- 
ard, the present invention is not restricted to this. The data may be compressed or enciphered according to another 
5 standard. In this case, a decoder circuit corresponding to another standard has to be provided instead of the MPEG 
decoder circuit 115. The data may not be enciphered. In this case, the MPEG decoder circuit 115 is eliminated. 

To output any data items compressed by various methods (or data items requiring no deciphering), several types 
of decoder circuits may be provided and switched suitably. In this case, a method can be considered which reads an 
identifier indicating the decoder to be used from a recording medium, such as a DVD, and selects a suitable decoder 
io circuit according to the identifier. 

The configurations of the key judging circuit 120 shown in FIGS. 6A and 6B in the second and third embodiments 
are illustrative and not restrictive. Other configurations of the key judging circuit may be considered. 

Various types of the configuration that uses E SK (S K ) as key judgment information may be considered. For instance, 
D SK (S K ) is used as information used for key judgment. The key judging circuit 120 deciphers E MKi (S K ) read from a 
is recording medium, such as a DVD, using master key M K j to produce S Ki j = D MK j(E MKj (S K )), deciphers the using 
the Sjq itself to produce S K " = D^^S^), and compares the S K " with D SK (S K ) read from a recording medium, such as 
a DVD. When they coincide with each other, the key judging circuit judges that the first session key S K = S Ki j is correct 
and outputs it. 

As other examples of key judgment information, the one enciphered or deciphered twice or more times, such as 
20 E SK (E SK (S K )) or D SK (D SK (S K )) may be considered. In addition, E MKI (E MK j(S K )) may be provided for each E MKi (S K ). 

In the embodiments, on the basis of the key judgment information, a judgment is made through the procedure 
shown in each of Method 1 to Method 5 as to whether the key obtained by deciphering is the correct first session key. 
However, the key judgment information, key judging procedure, and the structure for key judgment can be eliminated 
by recording all the E MKi (S K ) on a recording medium, such as a DVD, in order of i and registering them in the deciphering 
25 unit in such a manner that i corresponds to M Kj . When M w for a certain i becomes unusable, it is desirable that infor- 
mation indicating invalidity should be stored on a recording medium, such as a DVD, in place of E MKI (S K ). 

A key control method followed by disk makers (assumed to be makers that produce DVDs for writings, including 
movies and music), player makers (assumed to be makers that produce DVD players), and a key control organization 
that controls master keys will be described taking a DVD-ROM as example, by reference to FIG. 11. Here, in addition 
30 to the contents, Data may be key information, as described earlier (explanation of the case where enciphering or 
deciphering is done using key information S Kt when Data is key information S Kt will be omitted). In FIG. 11 , a computer 
used for processing is not shown. 

FIG. 12 is a diagram to help explain a system for deciphering. Enciphering circuits 301 , 312, 303 in FIG. 12 may 
be on the same unit (e.g., a computer) or on different units (e.g., computers). In the latter case, information is exchanged 
35 between the units. The enciphering circuits 301, 312, 303 may be constructed in hardware or in software. 

Explanation will be given about a case where an n number of master keys E MKj (S K ) (i = 1 to n) are recorded on a 
DVD. A DVD player (a deciphering unit 114b) has an m (2 < m < n) number of master keys M^ (j is in the range of 1 
to n) in it. The m number of master keys have been selected from the n number of master keys beforehand. The master 
keys M K j are assumed to be allocated exclusively to the DVD player maker. It is assumed that n = 1 00 and m = 10. 
40 A method of recording E SK (S K ) on a DVD as key judgment information is used (the section indicated by numeral 

302 in FIG. 12 uses E SK (S K ) as key judgment information). 

A key control organization 200 keeps master keys M Kj (i = 1 to 100). It is desirable that the number of master keys 
should be set at a larger value than necessary in preparation for the entry of a new player maker or in case a master 
key is broken. 

45 The key control organization 200 exclusively allocates the master keys M Ki (i = 1 to 100) to the individual player 

makers 201 to 203. For example, as shown in FIG. 11, it allocates master keys M Ki (i = 10 to 19) to player maker A, 
master keys M Ki (i = 20 to 29) to player maker B, and master keys M Kj (i = 30 to 39) to player maker C. The key control 
organization 200 sends the allocated master keys to the individual player makers by means of communication mediums 
or recording mediums. At that time, it is desirable that they should be exchanged safely by enciphered communication. 

50 Each player maker controls the master keys allocated by the key control organization 200. Using the allocated 

master keys, each player maker manufactures DVD players with the configuration as shown in the third embodiment 
and sells the resulting products. 

It is assumed that the key control organization 200 does not give the plain data on the master keys to disk makers 
221 to 223. 

55 First, each disk maker (e.g., maker a) determines the first session key S K (e.g., for each disk) by itself, and gives 

the first session key S K to the key control organization 200. The key control organization 200 enciphers the received 
first session key S K using all the master keys M Kj (i = 1 to 100) to produce E MKj (S K ) (i = 1 to 100) (using the enciphering 
unit 301 of FIG. 12). Then, the key control organization 200 gives E MKi (S K ) (i = 1 to 100) to disk maker a. 
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It is desirable that the exchange of the allocated master keys between the key control organization 200 and the 
disk maker should be made by means of communication mediums or recording mediums through enciphered commu- 
nication. 

Disk maker a records E MKI (S K ) (i = 1 to 100), E SK (S K ), and E SK (Data) on a DVD 231 . The operation of enciphering 
5 S K with S K itself to produce E SK (S K ) is carried out by the disk maker side or by the key control organization 200 side 
(using the enciphering circuit 321 of FIG. 12) in the case of enciphering with a mater key. It is assumed that at least 
the enciphering of the contents is done at the disk maker side (using the enciphering circuit 303 of FIG. 12). 

Disk maker a controls the received E MKi (S K ), key judgment information E SK (S K ), and E SK (Data) (or Data) for S K , 
for example. 

10 The same is true for the other disk makers. 

In case it is found that the master key has been broken, from that time on, DVDs are manufactured without using 
the broken master key. For example, if the master key for i = 19 has been broken, ninety-nine E MKi (S K ) corresponding 
to i = 1 to 18 and 20 to 100 are recorded on a DVD. 

In case it is found that the master key has been broken, it is desirable that the player maker to which the broken 
15 master key has been allocated should manufacture and sell DVD players excluding the broken master key. For example, 
if the master key for i = 19 has been broken, player maker A manufactures DVD players using the master keys for i = 
10 to 18 and sells the resulting products. 

The already sold DVD player having the master key for i = 19 may be used without any modification. It may be 
modified so as not to have the master key for i = 1 9. 
20 Consequently, the master keys can be controlled safely and effectively. In addition, the risk of the master key being 

deciphered in an unauthorized manner can be dispersed and even after the deciphering of the master key, the system 
can function safely and effectively. 

As describe in detail, with the present invention, only the correct maker having at least one of a plurality of second 
keys can get the first key and therefore can get the plain data of the data enciphered using the first key. 
25 As a result, the wrongful conduct of making unauthorized copies and selling the thus copied mediums can be 

prevented, thereby protecting copyrights. 



Claims 

30 

1. An enciphering method characterized by comprising the steps of: 

enciphering data with a first key (303); and 

enciphering said first key with each of a plurality of predetermined second keys (301 ). 

35 

2. An enciphering method according to claim 1 , characterized in that said data includes at least one of key information, 
documents, sound, images, and programs. 

3. A recording medium having information items recorded thereon, said information items characterized by compris- 
40 ing: 

first information (E SK (D)) obtained by enciphering data with a first key; and 

second information (E MKi (S K )) obtained by enciphering said first key with each of a plurality of predetermined 
second keys. 

A recording medium manufacturing method characterized by comprising the steps of: 
obtaining first information by enciphering data with a first key (303); 

obtaining second information obtained by enciphering said first key with each of a plurality of predetermined 
so second keys (301 ); and 

recording said first and second information on the same recording medium. 

5. A deciphering method characterized by comprising the steps of: 

55 inputting first information obtained by enciphering data with a first key and second information obtained by 

enciphering said first key with each of a plurality of predetermined second keys (S34, S32); 
deciphering said first key using at least one of said second keys (S33) to obtain said first key; 
determining by a specific method whether or not the obtained first key is correct (S33); and 
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deciphering said data using said first key after the determination to obtain said data (S35). 

6. A deciphering method according to claim 5, characterized in that said data includes at least one of key information, 
documents, sound, images, and programs. 

5 

7. A deciphering device characterized by comprising: 

input means (112) for inputting first information obtained by enciphering data with a first key and second in- 
formation obtained by enciphering said first key with each of a plurality of predetermined second keys; 
10 storage means (105) for storing at least one of said second keys; and 

deciphering means (112, 120) for deciphering said first key from said second information inputted from said 
input means using at least one of said second keys in said storage means, determining by a specific method 
whether or not the obtained first key is correct, and deciphering said data from said first information using said 
first key after the determination to obtain said data. 

15 

8. A recording and reproducing device characterized by comprising: 

reading means (112) for reading first information and second information from a recording medium on which 
said first information obtained by enciphering data with a first key and said second information obtained by 
20 enciphering said first key with each of a plurality of predetermined second keys have been stored; 

storage means (105) for storing at least one of said second keys; and 

deciphering means (1 1 2, 120) for deciphering said first key from said second information read by said reading 
means using at least one of said second keys in said storage means, determining by a specific method whether 
or not the obtained first key is correct, and deciphering said data from said first information using said first key 
25 after the determination to obtain said data. 

9. A key control method characterized by comprising the steps of: 

causing a first caretaker (200) to take custody of a plurality of predetermined second keys; 
30 causing a second caretaker (221 to 223) to take custody of first information obtained by enciphering data with 

a first key and second information obtained by enciphering said first key with each of said predetermined 
second keys; and 

causing a third caretaker (201 to 203) to take custody of at least one of said second keys. 

35 10. A deciphering device characterized by comprising: 

reading means (112) for reading first information, second information, and third information from a recording 
medium on which said first information obtained by enciphering data with a first key, said second information 
obtained by enciphering said first key with each of a plurality of predetermined second keys, and said third 
40 information used for key determination have been stored; 

storage means (105) for storing at least one of said second keys; 

first deciphering means (112, 120) for deciphering one of the enciphered first keys selected in the order de- 
termined from said second information using one second key selected in the order determined from said sec- 
ond keys stored in said storage means, determining on the basis of said deciphering result and said third 
45 information whether or not said first key obtained by said deciphering is correct, and repeating said selection 

and said determination until the first key determined to be correct has been obtained; and 
second deciphering means (112) for deciphering said data from said first information using said first key said 
first deciphering means has determined to be correct. 

so 11. A deciphering device characterized by comprising: 

a first unit (107) built in a driving unit of a recording medium or connected to the driving unit of said recording 
medium without the CPU bus of a computer, including: 

means (104. 117, 118) for transferring first information obtained by enciphering the data read from said 
55 recording medium with a first key, second information obtained by enciphering said first key with each of a 

plurality of predetermined second keys, and third information used for key determination in such a manner 
that at least said second information and third information are transferred safely without being externally ac- 
quired; and 
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a second unit (114a) connected to said first unit via the CPU bus of said computer including: 

means (112) for receiving said first information, second information, and third information from said first 
unit via the CPU bus of said computer in such a manner that at least said second information and third 
5 information are received safely without being externally acquired; 

storage means (105) for storing at least one of said second keys; 

first deciphering means (112, 120) for deciphering one of the enciphered first keys selected in the order 
determined from said second information using one second key selected in the order determined from 
said second keys stored in said storage means, determining on the basts of said deciphering result and 
10 said third information whether or not said first key obtained by said deciphering is correct, and repeating 

said selection and said determination until the first key determined to be correct has been obtained; and 
second deciphering means (112) for deciphering said data from said first information using said first key 
said first deciphering means has determined to be correct. 

is 12. A deciphering device characterized by comprising: 

reading means (112) for reading first information, second information, third information, and fourth information 
from a recording medium on which said first information obtained by enciphering a third key with a first key, 
said second information obtained by enciphering said first key with each of a plurality of predetermined second 
20 keys, said third information used for key determination, and said fourth information obtained by enciphering 

data with said third key have been stored; 

storage means (105) for storing at least one of said second keys; 

first deciphering means (112, 120) for deciphering one of the enciphered first keys selected in the order de- 
termined from said second information using one second key selected in the order determined from said sec- 
25 ond keys stored in said storage means, determining on the basis of said deciphering result and said third 

information whether or not said first key obtained by said deciphering is correct, and repeating said selection 
and said determination until the first key determined to be correct has been obtained; 

second deciphering means (112) for deciphering said third key from said first information using said first key 
said first deciphering means has determined to be correct; and 
30 third deciphering means (112) for deciphering said data from said fourth information using said third key ob- 

tained by said second deciphering means. 

13. A deciphering device according to any one of claims 8 to 10, characterized in that: 

35 said third information is information obtained by enciphering said first key with said first key itself; and 

when the key obtained by deciphering one of said second information using one of said second keys stored 
in said storage means coincides with the key obtained by deciphering said third information using the former 
key, said first deciphering means (112, 120) determines that the former key is the correct first key. 

40 14. A deciphering device according to any one of claims 10 to 1 3, characterized in that said data includes at least one 
of key information, documents, sound, images, and programs. 

15. A deciphering method characterized by comprising the steps of: 

45 reading first information, second information, and third information from a recording medium on which said 

first information obtained by enciphering data with a first key, said second information obtained by enciphering 
said first key with each of a plurality of predetermined second keys, and said third information used for key 
determination have been stored (S31 , S32, S34); 

deciphering one of the enciphered first keys selected in the order determined from said second information 
so using one second key selected in the order determined from said second keys, determining on the basis of 

said deciphering result and said third information whether or not said first key obtained by said deciphering is 
correct, and repeating said selection and said determination until the first key determined to be correct has 
been obtained (S33); and 

deciphering said data from said first information using said first key determined to be correct (S35). 
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16. A deciphering method characterized by comprising the steps of: 

transferring first information obtained by enciphering the data read from a recording medium with a first key, 
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second information obtained by enciphering said first key with each of a plurality of predetermined second 
keys, and third information used for key determination from a first unit built in a driving unit of said recording 
medium or connected to the driving unit of said recording medium without the CPU bus of a computer to a 
second unit via the CPU bus of the computer in such a manner that at least said second information and third 

s information are transferred safely without being externally acquired (S1 5, S16, S20); and 

in said second unit, deciphering one of the enciphered first keys selected in the order determined from said 
second information using one second key selected in the order determined from said second keys stored in 
said storage means, determining on the basis of said deciphering result and said third information whether or 
not said first key obtained by said deciphering is correct, repeating said selection and said determination until 

10 the first key determined to be correct has been obtained, and deciphering said data using said first key deter- 

mined to be correct (S17 to S1 9, S21 ). 

17. A deciphering method characterized by comprising the steps of: 

'5 reading first information, second information, third information, and fourth information from a recording medium 

on which said first information obtained by enciphering at least a third key with a first key, said second infor- 
mation obtained by enciphering said first key with each of a plurality of predetermined second keys, said third 
information used for key determination, and said fourth information obtained by enciphering data with said 
third key have been stored (S31 , S32, S34); 

20 deciphering one of the enciphered first keys selected in the order determined from said second information 

using one second key selected in the order determined from said second keys, determining on the basis of 
said deciphering result and said third information whether or not said first key obtained by said deciphering is 
correct, and repeating said selection and said determination until the first key determined to be correct has 
been obtained (S33); 

25 deciphering said third key from said first information using said first key determined to be correct (S35); and 

deciphering said data from said fourth information using said third key obtained (S36). 

18. A deciphering unit device that receives information via the CPU bus of a computer from a bus transfer unit built in 
a driving unit of a recording medium or connected to the driving unit of said recording medium without the CPU 

30 bus of the computer and deciphers data on the basis of the information, said deciphering unit device characterized 

by comprising: 

means (112) for receiving first information obtained by enciphering the data read from said recording medium 
with a first key, second information obtained by enciphering said first key with each of a plurality of predeter- 
3S mined second keys, and third information used for key determination from said bus transfer unit via the CPU 

bus of said computer in such a manner that at least said second information and third information are received 
safely without being externally acquired; 

storage means (105) for storing at least one of said second keys; 

first deciphering means (112, 120) for deciphering one of the enciphered first keys selected in the order de- 
40 term in ed from said second information using one second key selected in the order determined from said sec- 

ond keys stored in said storage means, determining on the basis of said deciphering result and said third 
information whether or not said first key obtained by said deciphering is correct, and repeating said selection 
and said determination until the first key determined to be correct has been obtained; and 
second deciphering means (112) for deciphering said data from said first information using said first key said 
45 first deciphering means has determined to be correct. 
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